Transatlantic data flows under renewed threat following top EU court’s ruling
Last week, Europe’s highest court issued what might seem a fairly obscure ruling on an agreement between the EU and Canada on the transfer of passenger data between the two regions. In fact, the implications of the judgment by the Court of Justice of the European Union (CJEU) are far reaching, and are likely to have a major impact on the flow of all personal data across the Atlantic.
The original agreement on the Passenger Name Record (PNR) data was signed in 2014. It allows the systematic and continuous flow of information to the Canadian authorities about all EU air passengers flying to that country. PNR data includes a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health, and may even include other highly-sensitive information about the air passengers.
The aim is to process the PNR data automatically before the passengers arrive in Canada, allowing individuals possibly involved in terrorism or other serious transnational crimes to be spotted and then interviewed or arrested when the plane lands. The personal data is stored on a Canadian database for five years after it is supplied, and may also be transferred to other authorities within Canada, and even outside – to those in the US, for example.
It is these very wide permissions that the CJEU has now found to be illegal under EU privacy law, after the European Parliament asked it to rule on the matter. It is the first time the Court has been called upon to give a ruling on the compatibility of a draft international agreement with the EU Charter of Fundamental Rights, which makes its negative response even more significant. As the Court’s press release on the judgment put it:
“The Court observes, therefore, that the transfer of PNR data from the EU to Canada, and the rules laid down in the envisaged agreement on the retention of data, its use and its possible subsequent transfer to Canadian, European or foreign public authorities entail an interference with the fundamental right to respect for private life. Similarly, the envisaged agreement entails an interference with the fundamental right to the protection of personal data.”
The CJEU went on to identify other aspects of the PNR agreement that were incompatible with fundamental EU privacy rights. For example, the fact that the PNR data was stored for five years even for people that were not suspected of involvement with terrorism or transnational crime. Although the Court emphasized that the basic idea of transferring PNR data for the purpose of combatting terrorism or crime was acceptable, if done properly, it ruled that:
“Since the interferences which the envisaged agreement entails are not all limited to what is strictly necessary and are therefore not entirely justified, the Court concludes that the envisaged agreement may not be concluded in its current form.”
It is not possible to appeal against CJEU rulings, so the EU must now re-negotiate the PNR agreement with Canada before it can be implemented. But the implications of the Court’s decision go much further, since there are two other very similar PNR agreements – one with the US, the other with Australia. Given the reasons the Court rejected the EU-Canada PNR agreement, it seems highly likely that those other deals would also be considered illegal under EU law. If the EU does not suspend and re-negotiate those other agreements, legal challenges by EU privacy groups are almost certain, especially given the high probability of success.
PNR data is just one kind of personal data, which now plays a key role in most online activities. The CJEU’s latest ruling is likely to have an impact on all such personal data flows leaving the EU because it reinforces two earlier judgements on the same theme.
In April 2014, the Court ruled that the EU’s data retention strategy, brought in like the PNR as a way to tackle terrorism and crime, was illegal. The reasoning was that by collecting everyone’s online activities, the EU law was not “limited to what is strictly necessary” – a key requirement for legislation that affects privacy. The CJEU affirmed this position in October 2015, when it held that the European Commission’s “Safe Harbor” framework, which allowed the personal data of EU citizens to be transferred to the US, was invalid under EU laws. It ruled that the US authorities’ broad access to EU citizens’ personal data was disproportionate and therefore illegal:
“under EU law, [Safe Harbor] legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made”
Last week’s CJEU ruling on the PNR agreement with Canada confirms that the “strictly necessary” criterion is central to the CJEU’s consideration of whether international deals affecting the basic privacy of EU citizens are legal. That’s important, because the replacement for the failed Safe Harbor framework, known as “Privacy Shield“, is coming up for its first review. Many privacy organizations and digital rights groups believe that the Privacy Shield approach does not meet the “strictly necessary” requirement in terms of the personal data that is collected and used by the US authorities. Human Rights Watch and Amnesty International have just written an open letter to Věra Jourová, the EU Commissioner for Justice, Consumers and Gender Equality, in which they lay out why they consider US surveillance laws and programs so broad and contain such weak safeguards that they render Privacy Shield invalid. There is already one legal challenge to the deal working its way through the EU legal system.
If Human Rights Watch and Amnesty International are right, and the court throws out Privacy Shield, it will not be available for US Internet companies like Facebook or Google to use as the legal basis for moving EU citizens’ personal data across the Atlantic. That means US companies have to find alternative frameworks – no easy task – or else keep all EU personal data within the EU, something they say they are unwilling to do. Last week’s CJEU judgment striking down the Canadian PNR deal is a reminder that this key privacy problem of transatlantic data transfers is still unresolved.
Featured image by Brian Burnell.